--- /dev/null
+From 25717382c1dd0ddced2059053e3ca5088665f7a5 Mon Sep 17 00:00:00 2001
+From: Jeffy Chen <jeffy.chen@rock-chips.com>
+Date: Tue, 27 Jun 2017 17:34:42 +0800
+Subject: Bluetooth: bnep: fix possible might sleep error in bnep_session
+
+From: Jeffy Chen <jeffy.chen@rock-chips.com>
+
+commit 25717382c1dd0ddced2059053e3ca5088665f7a5 upstream.
+
+It looks like bnep_session has same pattern as the issue reported in
+old rfcomm:
+
+ while (1) {
+ set_current_state(TASK_INTERRUPTIBLE);
+ if (condition)
+ break;
+ // may call might_sleep here
+ schedule();
+ }
+ __set_current_state(TASK_RUNNING);
+
+Which fixed at:
+ dfb2fae Bluetooth: Fix nested sleeps
+
+So let's fix it at the same way, also follow the suggestion of:
+https://lwn.net/Articles/628628/
+
+Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
+Reviewed-by: Brian Norris <briannorris@chromium.org>
+Reviewed-by: AL Yu-Chen Cho <acho@suse.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Cc: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/bnep/core.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/net/bluetooth/bnep/core.c
++++ b/net/bluetooth/bnep/core.c
+@@ -484,16 +484,16 @@ static int bnep_session(void *arg)
+ struct net_device *dev = s->dev;
+ struct sock *sk = s->sock->sk;
+ struct sk_buff *skb;
+- wait_queue_t wait;
++ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+
+ BT_DBG("");
+
+ set_user_nice(current, -15);
+
+- init_waitqueue_entry(&wait, current);
+ add_wait_queue(sk_sleep(sk), &wait);
+ while (1) {
+- set_current_state(TASK_INTERRUPTIBLE);
++ /* Ensure session->terminate is updated */
++ smp_mb__before_atomic();
+
+ if (atomic_read(&s->terminate))
+ break;
+@@ -515,9 +515,8 @@ static int bnep_session(void *arg)
+ break;
+ netif_wake_queue(dev);
+
+- schedule();
++ wait_woken(&wait, TASK_INTERRUPTIBLE, MAX_SCHEDULE_TIMEOUT);
+ }
+- __set_current_state(TASK_RUNNING);
+ remove_wait_queue(sk_sleep(sk), &wait);
+
+ /* Cleanup session */
+@@ -666,7 +665,7 @@ int bnep_del_connection(struct bnep_conn
+ s = __bnep_get_session(req->dst);
+ if (s) {
+ atomic_inc(&s->terminate);
+- wake_up_process(s->task);
++ wake_up_interruptible(sk_sleep(s->sock->sk));
+ } else
+ err = -ENOENT;
+
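Review bot: The `smp_mb__before_atomic()` inserted at the top of the bnep_session loop sits in front of a plain `atomic_read(&s->terminate)`, but that primitive is documented for ordering against atomic RMW operations that do not return a value; an `atomic_read()` is not one, and on x86 the call is only a compiler barrier, so the comment `/* Ensure session->terminate is updated */` promises more than the call delivers. The wait_woken()/woken_wake_function() pairing the patch adopts documents its own barriers between the waker's store and the sleeper's re-check, so the call can presumably be dropped; if an explicit barrier is still wanted it should be `smp_rmb();` with a comment naming the `atomic_inc(&s->terminate)` in bnep_del_connection it pairs with. The same construct appears in the cmtp patch (before `atomic_read(&session->terminate)` in cmtp_session) and in the hidp patch (in hidp_session_run), and should be fixed the same way there. bnep_session's body continues between and after the hunks shown.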
--- /dev/null
+From f06d977309d09253c744e54e75c5295ecc52b7b4 Mon Sep 17 00:00:00 2001
+From: Jeffy Chen <jeffy.chen@rock-chips.com>
+Date: Tue, 27 Jun 2017 17:34:43 +0800
+Subject: Bluetooth: cmtp: fix possible might sleep error in cmtp_session
+
+From: Jeffy Chen <jeffy.chen@rock-chips.com>
+
+commit f06d977309d09253c744e54e75c5295ecc52b7b4 upstream.
+
+It looks like cmtp_session has same pattern as the issue reported in
+old rfcomm:
+
+ while (1) {
+ set_current_state(TASK_INTERRUPTIBLE);
+ if (condition)
+ break;
+ // may call might_sleep here
+ schedule();
+ }
+ __set_current_state(TASK_RUNNING);
+
+Which fixed at:
+ dfb2fae Bluetooth: Fix nested sleeps
+
+So let's fix it at the same way, also follow the suggestion of:
+https://lwn.net/Articles/628628/
+
+Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
+Reviewed-by: Brian Norris <briannorris@chromium.org>
+Reviewed-by: AL Yu-Chen Cho <acho@suse.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Cc: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/cmtp/core.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+--- a/net/bluetooth/cmtp/core.c
++++ b/net/bluetooth/cmtp/core.c
+@@ -280,16 +280,16 @@ static int cmtp_session(void *arg)
+ struct cmtp_session *session = arg;
+ struct sock *sk = session->sock->sk;
+ struct sk_buff *skb;
+- wait_queue_t wait;
++ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+
+ BT_DBG("session %p", session);
+
+ set_user_nice(current, -15);
+
+- init_waitqueue_entry(&wait, current);
+ add_wait_queue(sk_sleep(sk), &wait);
+ while (1) {
+- set_current_state(TASK_INTERRUPTIBLE);
++ /* Ensure session->terminate is updated */
++ smp_mb__before_atomic();
+
+ if (atomic_read(&session->terminate))
+ break;
+@@ -306,9 +306,8 @@ static int cmtp_session(void *arg)
+
+ cmtp_process_transmit(session);
+
+- schedule();
++ wait_woken(&wait, TASK_INTERRUPTIBLE, MAX_SCHEDULE_TIMEOUT);
+ }
+- __set_current_state(TASK_RUNNING);
+ remove_wait_queue(sk_sleep(sk), &wait);
+
+ down_write(&cmtp_session_sem);
+@@ -393,7 +392,7 @@ int cmtp_add_connection(struct cmtp_conn
+ err = cmtp_attach_device(session);
+ if (err < 0) {
+ atomic_inc(&session->terminate);
+- wake_up_process(session->task);
++ wake_up_interruptible(sk_sleep(session->sock->sk));
+ up_write(&cmtp_session_sem);
+ return err;
+ }
+@@ -431,7 +430,11 @@ int cmtp_del_connection(struct cmtp_conn
+
+ /* Stop session thread */
+ atomic_inc(&session->terminate);
+- wake_up_process(session->task);
++
++ /* Ensure session->terminate is updated */
++ smp_mb__after_atomic();
++
++ wake_up_interruptible(sk_sleep(session->sock->sk));
+ } else
+ err = -ENOENT;
+
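Review bot: The two terminate paths in this patch disagree on barrier placement: cmtp_del_connection now puts `smp_mb__after_atomic();` between `atomic_inc(&session->terminate)` and `wake_up_interruptible(sk_sleep(session->sock->sk))`, while the error path in cmtp_add_connection (and bnep_del_connection in the companion bnep patch) does the `atomic_inc()` followed directly by the `wake_up_interruptible()`. Either the barrier is required and every terminate site needs it, or, as the hidp patch's own comment asserts with `wake_up_interruptible() performs any necessary memory-barriers for us`, it is redundant and should be dropped from cmtp_del_connection so a reader does not infer a requirement that one site ignores. If it is kept, its comment should name what it pairs with, e.g. `/* pairs with the atomic_read(&session->terminate) in cmtp_session */`, rather than the current `/* Ensure session->terminate is updated */`. cmtp_add_connection and cmtp_del_connection both begin outside their hunks.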
--- /dev/null
+From 5da8e47d849d3d37b14129f038782a095b9ad049 Mon Sep 17 00:00:00 2001
+From: Jeffy Chen <jeffy.chen@rock-chips.com>
+Date: Tue, 27 Jun 2017 17:34:44 +0800
+Subject: Bluetooth: hidp: fix possible might sleep error in hidp_session_thread
+
+From: Jeffy Chen <jeffy.chen@rock-chips.com>
+
+commit 5da8e47d849d3d37b14129f038782a095b9ad049 upstream.
+
+It looks like hidp_session_thread has same pattern as the issue reported in
+old rfcomm:
+
+ while (1) {
+ set_current_state(TASK_INTERRUPTIBLE);
+ if (condition)
+ break;
+ // may call might_sleep here
+ schedule();
+ }
+ __set_current_state(TASK_RUNNING);
+
+Which fixed at:
+ dfb2fae Bluetooth: Fix nested sleeps
+
+So let's fix it at the same way, also follow the suggestion of:
+https://lwn.net/Articles/628628/
+
+Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
+Tested-by: AL Yu-Chen Cho <acho@suse.com>
+Tested-by: Rohit Vaswani <rvaswani@nvidia.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Cc: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/hidp/core.c | 33 ++++++++++++++++++++++-----------
+ 1 file changed, 22 insertions(+), 11 deletions(-)
+
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -36,6 +36,7 @@
+ #define VERSION "1.2"
+
+ static DECLARE_RWSEM(hidp_session_sem);
++static DECLARE_WAIT_QUEUE_HEAD(hidp_session_wq);
+ static LIST_HEAD(hidp_session_list);
+
+ static unsigned char hidp_keycode[256] = {
+@@ -1068,12 +1069,12 @@ static int hidp_session_start_sync(struc
+ * Wake up session thread and notify it to stop. This is asynchronous and
+ * returns immediately. Call this whenever a runtime error occurs and you want
+ * the session to stop.
+- * Note: wake_up_process() performs any necessary memory-barriers for us.
++ * Note: wake_up_interruptible() performs any necessary memory-barriers for us.
+ */
+ static void hidp_session_terminate(struct hidp_session *session)
+ {
+ atomic_inc(&session->terminate);
+- wake_up_process(session->task);
++ wake_up_interruptible(&hidp_session_wq);
+ }
+
+ /*
+@@ -1180,7 +1181,9 @@ static void hidp_session_run(struct hidp
+ struct sock *ctrl_sk = session->ctrl_sock->sk;
+ struct sock *intr_sk = session->intr_sock->sk;
+ struct sk_buff *skb;
++ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+
++ add_wait_queue(&hidp_session_wq, &wait);
+ for (;;) {
+ /*
+ * This thread can be woken up two ways:
+@@ -1188,12 +1191,10 @@ static void hidp_session_run(struct hidp
+ * session->terminate flag and wakes this thread up.
+ * - Via modifying the socket state of ctrl/intr_sock. This
+ * thread is woken up by ->sk_state_changed().
+- *
+- * Note: set_current_state() performs any necessary
+- * memory-barriers for us.
+ */
+- set_current_state(TASK_INTERRUPTIBLE);
+
++ /* Ensure session->terminate is updated */
++ smp_mb__before_atomic();
+ if (atomic_read(&session->terminate))
+ break;
+
+@@ -1227,11 +1228,22 @@ static void hidp_session_run(struct hidp
+ hidp_process_transmit(session, &session->ctrl_transmit,
+ session->ctrl_sock);
+
+- schedule();
++ wait_woken(&wait, TASK_INTERRUPTIBLE, MAX_SCHEDULE_TIMEOUT);
+ }
++ remove_wait_queue(&hidp_session_wq, &wait);
+
+ atomic_inc(&session->terminate);
+- set_current_state(TASK_RUNNING);
++
++ /* Ensure session->terminate is updated */
++ smp_mb__after_atomic();
++}
++
++static int hidp_session_wake_function(wait_queue_t *wait,
++ unsigned int mode,
++ int sync, void *key)
++{
++ wake_up_interruptible(&hidp_session_wq);
++ return false;
+ }
+
+ /*
+@@ -1244,7 +1256,8 @@ static void hidp_session_run(struct hidp
+ static int hidp_session_thread(void *arg)
+ {
+ struct hidp_session *session = arg;
+- wait_queue_t ctrl_wait, intr_wait;
++ DEFINE_WAIT_FUNC(ctrl_wait, hidp_session_wake_function);
++ DEFINE_WAIT_FUNC(intr_wait, hidp_session_wake_function);
+
+ BT_DBG("session %p", session);
+
+@@ -1254,8 +1267,6 @@ static int hidp_session_thread(void *arg
+ set_user_nice(current, -15);
+ hidp_set_timer(session);
+
+- init_waitqueue_entry(&ctrl_wait, current);
+- init_waitqueue_entry(&intr_wait, current);
+ add_wait_queue(sk_sleep(session->ctrl_sock->sk), &ctrl_wait);
+ add_wait_queue(sk_sleep(session->intr_sock->sk), &intr_wait);
+ /* This memory barrier is paired with wq_has_sleeper(). See
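Review bot: `hidp_session_wq`, declared next to `hidp_session_sem`, is a single wait queue head shared by every hidp session, so `hidp_session_terminate()` and `hidp_session_wake_function()` now wake all session threads on every event; each thread re-checks its own `session->terminate` and socket queues and goes back to sleep, which is correct but is not stated anywhere. A comment on the declaration would stop a later reader from assuming a per-session queue: `/* Shared by all sessions: wake-ups are broadcast, each thread re-checks its own state */`. `hidp_session_wake_function()` is installed on the ctrl/intr socket sleep queues and only forwards the wake-up to `hidp_session_wq`; a one-line comment above it saying so, and `return 0;` instead of `return false;` from an `int` wake function (the kernel's wake functions return an int 0/1), would make the intent explicit. hidp_session_thread's body continues past the last hunk.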
netfilter-expect-fix-crash-when-putting-uninited-expectation.patch
netfilter-nat-fix-src-map-lookup.patch
netfilter-nfnetlink-improve-input-length-sanitization-in-nfnetlink_rcv.patch
+bluetooth-hidp-fix-possible-might-sleep-error-in-hidp_session_thread.patch
+bluetooth-cmtp-fix-possible-might-sleep-error-in-cmtp_session.patch
+bluetooth-bnep-fix-possible-might-sleep-error-in-bnep_session.patch